Devin Chwastyk & Greg Archibald
A recent decision from the Third Circuit suggests that the leak of information onto the Dark Web provides standing to class action plaintiffs in data breach litigation. In Clemens v. ExecuPharm, Inc., 48 F.4th 146 (3d Cir. 2022), the Defendant employer suffered a data breach that permitted a ransomware gang to steal sensitive information pertaining to the Defendant’s current and former employees. Eventually, the hackers posted the data on underground websites located on the Dark Web.
The plaintiff, a former employee whose data was stolen by the hackers, filed a class action lawsuit on behalf of herself and other employees whose information was accessed. However, the plaintiff did not allege that she (or any other employees) suffered any financial losses as a result of the breach. Since showing financial harm is traditionally a required element to establish standing, the District Court dismissed the case.
However, the Third Circuit reversed. Interpreting the U.S. Supreme Court’s holding in Transunion[1], the Third Circuit held that the leak of information onto the Dark Web by itself constitutes an “injury-in-fact” sufficient to provide standing to sue in federal court. Explaining their decision, the Third Circuit wrote, “Because we can reasonably assume that many of those who visit the Dark Web, and especially those who seek out and access [the ransomware group’s] posts, do so with nefarious intent, it follows that Clemens faces a substantial risk of identify theft or fraud by virtue of her personal information being made available on underground websites…”
In light of this decision, and the increasingly digitized world, employers are strongly encouraged to implement appropriate security measures and ensure that those measures continue to comply with ever-changing industry standards. Failure to take these preventative measures could leave employer networks vulnerable to data breach, subjecting employers to potential liability for the breach of employee or customer data itself, let alone the financial consequences that could result if such information is misused.
[1] In this case, the U.S. Supreme Court held that an allegation of a risk of future harm is sufficient to establish an injury-in-fact for standing purposes, if such risk of future harm is “sufficiently imminent and substantial.” TransUnion LLC v. Ramirez, __ U.S. __, 141 S.Ct. 2190, 2210-11 (2021).